[Snort-sigs] Fw: CVE-2017-9810, CVE-2017-9812 Signatures

Tyler Montier tmontier at sourcefire.com
Mon Jul 31 09:31:23 EDT 2017


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Jul 31, 2017 at 8:29 AM, Y M via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hello,
>
>
> Below two rules are also derived from the references withing the
> signatures. No pcaps available.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER
> Kaspersky Linux File Server WMC cross site request forgery attempt";
> flow:to_client,established; file_data; content:"/cgi-bin/cgictl?action=setTaskSettings";
> fast_pattern:only; content:"taskId="; nocase; content:"settings=|7B|";
> nocase; metadata:service ftp-data, service http, service imap, service
> pop3; reference:cve,2017-9810; reference:url,www.
> coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-
> Vulnerabilities; classtype:attempted-admin; sid:110002; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER
> Kaspersky Linux File Server WMC path traversal attempt";
> flow:to_server,established; content:"/cgi-bin/cgictl?action=getReportStatus";
> fast_pattern:only; content:"&reportId=../"; distance:0; http_uri; nocase;
> metadata:service ftp-data, service http, service imap, service pop3;
> reference:cve,2017-9812; reference:url,www.coresecurity.com/advisories/
> Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities;
> classtype:attempted-admin; sid:110003; rev:1;)
>
> Thanks.
>
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170731/b489b9ef/attachment.html>


More information about the Snort-sigs mailing list